Him, an adventurer, CISO, soldier, Marine, law officer, author, professor, spy, yachty, motorcyclist, photographer. Her, was the church lady librarian, got divorced, joined a motorcycle gang, became a hacker, and world adventurer.

DerbyCon 2014, Higher Education Panel for Hackers

Members of the panel are Bill Gardner @oncee, Ray Davidson @RayDavidson, Adrian Crenshaw @irongeek_adc, Me! @selil @DrWhomPhD Rob Jorgensen. The members of the panel were great and I felt honored to be included.

After the video feel free to read through my notes on the questions we were expecting. Some answers may challenge you and some may piss you off.

1) Is there a meaningful difference between education and training?

The pyramid (required by Lenny Zeltser) that depicts the increasing focus of theory within the levels of higher education. (click to make larger).

The often quoted and I’m not sure where it came from answer is a query in response. “Do you want your daughter to get sex education at school or sex training?” Though risqué it is a valid response. Where you can have knowledge of driving it is better to have training. A few terms have to be defined at first. The OPM identifies knowledge, skills and abilities as

Knowledge, Skills, and Abilities (KSAs) – The attributes required to perform a job and are generally demonstrated through qualifying service, education, or training.Knowledge – Is a body of information applied directly to the performance of a function.Skill – Is an observable competence to perform a learned psychomotor act.Ability – Is competence to perform an observable behavior or a behavior that results in an observable product.

I look at knowledge as the things you have been taught. It is the theory, concepts, and all of the associated things around a topic. I see skill as the inherent capability of accomplishing some task. Ability is the assessable outcomes of the demonstrated fusion of knowledge and skill towards some observable phenomenon. Education focuses on doing mostly knowledge and some skills, where training focuses on skill with just enough knowledge. As I say in the video knowledge creates flexible thinking and more importantly allows for growth and adaptation of skill.

2) What is the role of certifications, and accreditation?

There are a few forms of certification and accreditation here. At the panel we didn’t dig into them to much but I’d like to at least aliterate them here.

Degrees are accredited by states and often by groups like ABET. Those accreditations are the legal ability to offer the degree and the level or attainment by the program offering the degree of a certain level of assessed quality. This can be of value to the student as certain things like ABET accreditation mean they can apply to certain jobs with the federal government or take certain certification exams right out of school. Which leads to certifications.

There are certificates and certification. A university may offer a certificate which is usually a part of a degree path. I have a graduate (post baccalaureate) certificate in information assurance education. You can also get external certifications that are vendor neutral to say you have particular knowledge or skills. I for example have a CISSP which is not taught at the university specifically but reflects an external entity having assessed my knowledge/skills. Finally there are vendor specific certifications like Cisco and Microsoft offer. I have none of these but am not opposed to them.

The certificates and certifications serve the purpose of auditing knowledge or showing specific areas of knowledge, skills and abilities. At Purdue the Purdue Polytechnic (I’m opposed to some elements and support others of this big initiative) has proposed external certification for all students passing through the program. In other words they would have to pass some external certification of their knowledge showing that they have passed some bar (like the Law Bar) outside of the control of the university. It impacts the student and university by showing external audit and credibility.

There are other forms of accreditation like the NSA/CAE or DC3/CDFAE from government entities. Those are often discounted or mean nothing to students who haven’t got the insider knowledge to understand what they mean. In general it usually means that the student may have the opportunity to NOT pay for school. Another topic out of scope in this question.

3) Are real world skills being imparted?

With apologies to XKCD I helped fix the original comic. (click to make larger)

That depends on the skills and definition of “real world”. Any student entering a program today will likely exit a baccalaureate program in four to five years time. Stuff they learn today will be aged by that same amount of time. If that is a “skill” then it won’t be very applicable to the real world. If it is knowledge (especially a pattern of capabilities) it will be very useable. Knowledge allows the student to adapt, change, and innovate on skills usage.

If I am building nuclear weapons I had better have better than most knowledge of physics. If I am even doing just the programming that is likely true. The fact is that knowledge is often task dependent at a specific point and time. The bad part is you often can’t pick up knowledge adequately to accomplish some task whereas a skill can often be taught nearly just in time (not always but often).

If the question is about the ability to pop a box or do some other very specific activity it will depend heavily on the specific program of study. As programs move from applied to theoretical it can be the difference between ability to do a task. However, without the theoretical knowledge existing a student may not be able to adapt tools, techniques or procedures. The balance between the two is really dependent on the student. Some students learn and adapt knowledge quickly and some students can never adapt. They learn to click here and do that and never anything else. Student should reflect on who they are and scope their education around that.

4) Is it worth the cost?

Cost to whom? The average university education is made up of four or five entities paying some part of a students education. The student may pay some of their education. The parents or a loan institution may pay another part of the students education. The endowment of the university is usually paying at least some part of the students hidden tuition bill. A research program or grant may be paying another part of the students education. Finally the federal government and state often foot a large part of the students hidden education costs.

What a student gets in benefit from a college education often has more to do with the student than the program. A great student in a bad program will do well, and a bad student in a great program will fail. The activities of the student in and out of class will often be the most important indicators of success to a faculty member. Given a particular student in a particular class I have told students before that they are not getting their moneys worth. Not because they weren’t given the opportunity but because they didn’t take it.

College is only worth the cost if you include the sweat equity. Otherwise don’t spend the cash on the education. The primary cost of a college education is not dollars. It is your time away from the world. You can always make money you can never make time. If you are not pushing the envelope in college and draining your professors dry you are not utilizing your time effectively.

5) Are the degrees recognized?

In most cases the answer to this is yes. The better question is what is the best degree. The most recognized entry degree for information security is computer science.

6) Who has a good program?

CERIAS at Purdue is one of the original four programs in the nation accredited by NSA. It produces many of the people who have become faculty and top researchers in the nation. Many people have at least some passing recognition of the program. Some of that is length of existence, but mostly it is because they do cool stuff. Other great programs then take on different flavors. I’m not a fan of Alan Paller but SANS is a top notch program with awesome faculty. I am a total fan of several faculty and course designers at SANS who are simply spectacular.

There are other programs around the nation but then you have to look at whether you want a research program or an applied program or some other false dichotomy. I look at research as application of knowledge and further the discipline but I am not like a lot of other faculty. There is no reason research has to be “not” applied in mind. That particular mindset drives some faculty nuts.

7) What are the benefits, risks, and pitfalls of a university education for the hacker?

The core benefit of a university education is learning to think. The ability to structure your thinking around challenging core assumptions and evaluating those assumptions toward answering a problem effectively. Unfortunately most people focus on the trivial elements of a problem as evidence and miss that the entire question is structured fallaciously. I tell my students that answers are a dime a dozen. Questions that are structured correctly are much harder to reach. Of course, the degree is often a barrier to entry when working for other people but I see a trend where people work for themselves and that benefit being eroded.

There are risks and pitfalls. I am very cognizant of the time commitment and not just the gross number of years, but the hours and hours of study and work. To become superlative masters of a domain takes substantial time commitment. Most hackers though already are wired to work like nutty fools figuring something out. Unfortunately that is usually in some silo of a domain. Getting outside of the silo and creating the discipline to attack problems broadly will make them way more effective inside the silo.

There is another pitfall. Hackers in general don’t like rules being imposed on them. The hacker community is filled with all kinds of cultural baggage that are rules, but they rarely acknowledge that. They have a hard time with imposed rules and being culturally open to the differences between their community and higher education. To be blunt they are socially unable in some cases to move between any community and their own where they have bought in on the cultural values. That kind of narrow mindedness often creates issues when operating outside of their own social circle. As it would for any insular group. Kind of like the first rule of “fight club” even brining that particular point up engenders negative emotions in the hacker community.

8) Long term, what is the direction of information security and systems security education for the hacker community?

Professionalism. The hacker community has an assumption of owning information security. That is not true nor will it ever be true. If the domain exists and moves forward and saying it that way is not a mistake. If the information security discipline even exists in a few years is a worthy conversation and part of challenging assumptions. The hacker community will likely be a side line part of the effort. The domain will be professionalized and it will be insulated within a professional type of hierarchy if it is valued by society.

The hacker community if it is not behind or leading such an effort will be brought up short and placed into an outsider status much like they were when computer manufacturing moved from kits to mass production. The entire computing discipline or domain is in flux as we speak. The broader appeal of hacker conventions or the security community (small as it is) is increased by the social factors more than the discipline extending factors.

As professionalism intrudes the hacker community must either get on board or accept the decreased impact of their social class. Thinking about the the denigration heaped by the hacker community on the CISSP and verbiage like “cyber” you can see that they are hurting themselves more than helping. When the requirement is to drink booze for using the word “cyber” (and as funny as that is to me) it undermines the community influence on people who have the ability to compel.

Outside of the community are people who have the ability to compel and set policy or law. If the community is seen as a bunch of hostile drunks with criminal intentions then it will have a hard time getting heard. As various subsections and groups undermine other subsections and groups for not doing it “their way” the effect gets worse. The fragmented environment and vapid support for some criminals by security cons has raised more than a few eyebrows.

That isn’t to say outside of the hacker community things haven’t gotten silly too. I am constantly reminding myself of that silliness by a certain poster for celebrity information security conference. When you are the bottom the only way is up or being innovated out of existence.

RSS Links

Cyber?

Cyber security and the technologies of securing the information enterprise of industry and government require a trans-disciplinary while still STEM focused research agenda. The term “cyber” itself denotes a human cognitive centric concept that deals with the disintermediation of technology centered within human activity. The changing focus from system threat mitigation to enterprise risk management has opened completely new areas of inquiry into security.